SMEs: Open for business
Often overlooked when it comes to IT security, vendors and attackers are shifting their attention to smaller enterprises. Steve Gold reports.
IT security technology has come a long way in a relatively short space of time, with almost all risks being countered by a variety of hardware, software, systems and services. This has much improved the lives of IT managers within major corporations, who can usually employ specialist staff to understand the nature of the IT security paradigm and take appropriate steps.
At the other end of the business scale, however, few small to medium-sized enterprises (SMEs) - defined as a company of between 50 and 250 employees - have the luxury of a dedicated IT security manager.
In fact, many SMEs do not even have a full-time IT manager, relying instead on a few knowledgeable, and often self-taught, members of staff, and fall back on the services of a local IT company.
Against this backdrop, it's hardly surprising that SMEs have become something of a Cinderella of the IT security world, with only a handful of vendors offering SME-specific IT security products.
This situation is now beginning to change, with a range of recent launches targeting the SME market. Sophos Security Suite was launched in November 2006 against the backdrop of research that concluded that most small businesses are failing to adequately protect themselves from malicious attacks.
The company used to offer the same anti-virus and anti-malware product for all its customers, whether they were major corporates or small companies with a handful of employees, according to Graham Cluley, senior technology consultant at Sophos.
"Times have moved on, so we have recently developed the strategy of offering Sophos Security Suite, as well as a range of appliances, aimed specifically at SMEs," he says.
His company decided to invest in this sector because a growing number of SMEs are looking for simple-to-install security software and/or appliances to protect their IT resources, he adds. Cluley says the software was designed specifically for users who have limited technical expertise.
Lack of diligence
His company questioned more than 540 small businesses across the UK in September last year and found that 64 per cent were not updating their anti-virus software in a timely manner. This made Sophos realise that an organisation could have the best IT security system in the world, but if the product is not updated regularly, its overall efficiency rapidly falls away.
"What SMEs are looking for is an IT product they can set up and forget, which is why we tend to favour an appliance for this section of the market. We also have the software option, but the device works out of the box and updates itself in the background," Cluley says.
Sophos's appliances have what is known as a "heartbeat", a series of diagnostics that are relayed back to the vendor's headquarters on a regular basis. "These allow our technical staff to know when something is going wrong, sometimes even before the client knows what's happening," explains Cluley. "In some cases, for example, we've discovered that the appliance has been unplugged, and we can notify the client to take remedial action, before anything nasty happens."
He admits that, during the 1990s, the IT security industry may have overlooked certain elements of the SME marketplace, but claims that this has changed.
According to Nick Lowe, Check Point's regional director for Europe, the current trend towards vendors developing specific solutions for the smaller businesses started around five years ago. "Until that point, most SMEs had an anti-virus application installed on their PCs and thought they were covered," he says. "Since then, there's been a growing realisation that a complete security system is needed, but there has also been the cost associated with such systems to consider."
The last couple of years, however, have seen the price of complete security systems, usually in the shape of a security appliance, fall steadily in line with the cost of PC hardware. "SMEs are now moving away from simply having a router with a few added security systems to a more complex device, typically an appliance, that they can install out of the box," Lowe says. As a result, Check Point has developed the Power range for SME customers, which includes united threat management.
The reseller's perspective
Ian Kilpatrick, managing director of Wick Hill Group, an IT security products distributor with offices in the UK and Germany, says that IT security vendors have only recently begun to truly address the needs of the SME sector. "The problem has been that it's only in the last year or so that vendors' actions have started to match their words. Prior to that, there were a lot of promises, but little real action," he claims.
Kilpatrick also favours IT security appliances because of their set-it-and-forget-it approach. "We also sell Kaspersky software, so we service all types of SME clients, but the appliances are very useful for this end of the market."
One problem area for SMEs in recent times, he adds, has been united threat management (UTM) appliances - servers that contain multiple IT security software packages. "UTM has been marketed by the industry as the ultimate security protection, but the price of real processing power has only recently fallen to levels where SMEs will buy the high power machines they need to run UTM," he explains.
As a result, the technology has gained something of bad name in the SME market, with some users having to switch off certain elements of their UTM systems in order to run other elements.
"It's no good if you have to turn off your firewall in order to run the anti-spam software on your UTM server," Kilpatrick complains, although he adds that the falling cost of hardware in the past year has helped alleviate this situation.
He is also sceptical about the role that direct-sell vendors such as Dell can play in the SME IT security space, citing the difference between consumers buying high-end TVs from the likes of Currys and the need for specialist resellers to supply IT security products.
"With a high-end TV, consumers walk into a shop prepared to buy a large-ticket item, and they know a bit about the product they want to purchase. With IT security for SMEs, customers simply don't have that knowledge. That's why you need a dealer to give them specialist advice on what to buy," he insists.
WHY SMEs SHOULD BE WORRIED
Gunter Ollmann, director of X-Force at Internet Security Systems, warns that SMEs are increasingly likely to be targeted by criminal gangs. They are seen as an attractive proposition since they generally have lower security budgets than large enterprises, which makes them more vulnerable.
"They also often have less mature internal security practices, such as staff training and desktop security enforcement," Ollmann adds. He argues that these factors, coupled with the fact that major corporations are now much harder to crack, make SMEs a softer target to attacks. On top of the frequent lack of internal security experts, incident response is generally poor, which means a criminal gang is more likely to escape with the booty and evade detection, he claims.
Interestingly, Ollmann and his team have concluded that it is difficult to assess which categories are doing the attacking. "It's anyone and everyone, ranging from automated bots just cycling through IP address ranges, right through to targeted phishing groups seeking to compromise the desktop systems of unsuspecting users and sell any information they retrieve," he explains.
Ollmann notes that SMEs with strong internet presence and international brands are frequently the higher priority in targeted attacks.
THE DIRECT APPROACH TO SELLING SECURITY PRODUCTS
While the majority of vendors selling in the IT security space use indirect sales channel such as dealers and retail stores to promote and support their products, one company that stands out against this trend is Dell.
The company surprised many in the IT community in late 2006 when it stopped offering sales commissions for dealers and systems integrators. Instead, it started effectively routing all its sales through the direct-sell catalogue, internet and telephone channels.
According to Roelof Holwerda, head of partner marketing at Dell, the firm maintains very close ties with a number of security companies, including McAfee, in order to offer the right solutions to its SME customers.
"We always approach the sale of one or more PCs to our business customers on a packaged basis," he explains. "You wouldn't, for example, buy a car these days without air bags, and we consider the IT security software on a PC the equivalent."
Dell maintains an outbound call centre that regularly contacts new and existing SME customers, to check on what systems and any problems they may have and to explain what options are available.
This pro-active approach, Holwerda says, is extremely well-received by even the smallest business, since it allows customers to tell the support staff of any problems with their PCs.
Holwerda dismisses suggestions that Dell SME customers are better off buying their IT security protection from a third party and installing it themselves.
"We preload the software at the factory, so that it works on an out-of-box basis. This helps the SME in terms of time and resources they often don't have," he explains. "We also have volume sales agreements with McAfee and others."
CASE STUDY - TRADE SERVICE INFORMATION
Trade Service Information (TSI) is a data warehousing company that provides data feeds of product and pricing information for contractors and suppliers under the Luckins brand name. It mainly works with the UK electrical and mechanical engineering industry.
The Lincolnshire-based firm needed a complete spam, virus and malware filtering system to protect its IT resources, particularly since its core business is the supply of data to third-party companies. During 2006, the firm reported that spam had become a major issue, accounting for around 89 per cent of all incoming email. It also placed a serious load on the Exchange Server, taking up more than four gigabytes of storage space each month and resulted in increased administration for the IT department.
TSI chose SurfControl's RiskFilter, a hardened Linux-based system that automatically blocks spam, viruses, phishing and other forms of malware.
According to Kevin Gutteridge, TSI's technical services manager, the excessive volume of spam was a significant burden, and meant three or four hours downtime every few weeks in order to manually remove rogue emails. The RiskFilter system put an end to that problem, he says, with 100 per cent of spam being eliminated before it got to the company network.
"This ensures the server runs efficiently, and that the data contained on it is protected from external threats," he says, adding that it has greatly reduced the administration required.
One benefit of RiskFilter is its ability to generate statistical reports relating to the volume and type of spam being detected and blocked from entering the network. As Gutteridge puts it, an important element of managing the IT infrastructure is knowing your enemy, or "being able to gauge the size and nature of the threat so you can develop effective policy to combat it".
The reporting mechanism showed that large volumes of spam had been arriving in the mailboxes of former employees, and remained there, taking up valuable network space, slowing down the server and causing an internal security threat.
RiskFilter not only identified this issue, it also solved it, blocking future spam and ensuring optimum network performance.
The overall risk of infection has been reduced dramatically, ensuring all business assets - from employees to internal databases and intellectual property - are protected.